Does a known security issue allow ssh login via system accounts?

Brian Candler b.candler at pobox.com
Tue Mar 8 03:34:48 AEDT 2022


On 07/03/2022 16:14, Whit Blauvelt wrote:
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access, where it wasn't in scope to add 2FA to all client accounts.

Could you explain a bit more what went wrong?

In order to configure 2FA (*), I do this:

PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

The comma means sshd requires publickey *and* PAM authentication to 
complete.  I can't see how this can make it any less secure than 
publickey alone, which is why I'm wondering what went wrong in your case.

If you want to disable 2FA either for certain trusted users, or certain 
trusted source IP addresses, you can use a Match block, e.g.

Match Address 192.168.0.0/16
AuthenticationMethods publickey

On the other hand, if you're trying to enable *password* authentication 
with separate 2FA, then that's certainly much trickier to get right in 
the PAM stack.  I would go for public key or certificate auth instead, 
with 2FA on top.

Alternatively, think about doing public key auth using ecdsa-sk keys and 
a U2F token - they are very cheap. You need a fairly modern openssh at 
client and server side though.

Regards,

Brian.

(*) I'm using pam_yubico, but I believe the above should apply to any 
2FA challenge/response using PAM.
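As an added example, not code from Brian's mail or from OpenSSH: a small Python model of how sshd resolves AuthenticationMethods for a given client address (a matching Match Address block overrides the global value; within a value, a comma joins methods that must all succeed, while a space separates alternative lists), so a configuration like the one above can be sanity-checked offline. The sample sshd_config is constructed for the example, and the model only handles the Address criterion with CIDR notation.

```python
import ipaddress
from typing import List, Optional

# Constructed sample sshd_config mirroring the settings discussed in the mail.
SAMPLE_SSHD_CONFIG = """
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

Match Address 192.168.0.0/16
    AuthenticationMethods publickey
"""


def effective_auth_methods(config_text: str, client_addr: str) -> Optional[str]:
    """Return the AuthenticationMethods value sshd would apply to a client
    connecting from client_addr. Simplified model (assumption, not sshd itself):
    only 'Match Address <cidr>[,<cidr>...]' criteria are understood, the first
    matching Match block that sets the keyword wins, and the global value is
    used when no block matches."""
    addr = ipaddress.ip_address(client_addr)
    global_value: Optional[str] = None
    match_value: Optional[str] = None
    in_match = False        # inside any Match block
    match_applies = False   # the current Match block matches this client
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            crit, _, arg = rest.partition(" ")
            # Only the Address criterion is modelled; other criteria never match.
            match_applies = crit.lower() == "address" and any(
                addr in ipaddress.ip_network(net, strict=False)
                for net in arg.split(","))
            continue
        if keyword == "authenticationmethods":
            if not in_match and global_value is None:
                global_value = rest      # first obtained global value wins
            elif in_match and match_applies and match_value is None:
                match_value = rest       # first matching block wins
    return match_value if match_value is not None else global_value


def required_method_sets(methods: str) -> List[List[str]]:
    """Split an AuthenticationMethods value into alternatives (space-separated);
    every method inside one alternative (comma-separated) must succeed."""
    return [alt.split(",") for alt in methods.split()]
```

On a real host the authoritative check is `sshd -T -C addr=<client ip>,user=<user>,host=<client hostname>`, which prints the effective settings after Match evaluation.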